Old Trojan Finds A New Friend In Facebook

One of the most active spam bots, Asprox, has a new gimmick for a Trojan it's been e-mailing around for the past six months: Facebook. Its botmasters are trying to cash in on last week's blocked accounts and unfriending frenzy.

Wednesday, November 17, was National Facebook Unfriend day, the brainchild of late night talk show comedian Jimmy Kimmel. However, the day before, Facebook confirmed that it was automatically disabling accounts it found to be suspiciously "fake." In the process it said a "bug" made it also disable a bunch of real users' accounts.

Lots of information and disinformation promptly began to circulate about the blocked accounts, since Facebook required users to scan and send a government-issued ID in order to restore accidentally blocked accounts, reports confirm. And, as crazy as that sounds, Facebook Support did send out legitimate messages to users of blocked accounts saying so.

All of this looked like the stuff of a good spam to Asprox, says M86 Security Labs. Researchers there on Friday began tracking a new spam campaign that claims it is from Facebook Support. The spam messages include a nasty surprise -- the Sasfis Trojan, "a downloader trojan which, once on the system, is used to pull down other malware such as banking trojans, fake antivirus and keyloggers," says Bradley Anstis, vice president of Technology Strategy at M86 Security.

The Sasfis trojan succeeds when it gets people to open the executable file sent as an attachment. The file is hidden behind some kind of recognizable icon -- often a Microsoft Excel icon, though in the Facebook spam it arrived inside a .zip file.
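The lure described above relies on an executable dressed up as something harmless: a familiar icon, or a .zip wrapper around the real payload. A mail gateway or mailbox filter can catch that pattern without knowing anything about the specific trojan, by looking at what an attachment actually contains rather than what it is named. The following Python script is an added example written for this page; it is not code from M86 Security or from the article. It builds a constructed sample message shaped like the campaign (a zip attachment holding a file with a Windows PE "MZ" header stub, not real malware), then flags executable extensions, PE headers hiding under non-executable names, and executables nested inside zip archives. The sender and recipient addresses and the attachment names are invented placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions a mail filter should treat as directly executable on Windows
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Windows PE files begin with the "MZ" DOS header regardless of filename or icon
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def file_extension(name):
    """Return the lowercase extension of a filename, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_bytes(name, data):
    """Return a list of findings for one file, recursing into zip containers."""
    findings = []
    ext = file_extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext!r} on {name!r}")
    # The disguise case: PE content behind a document-looking name (e.g. .xls)
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"PE header in {name!r} disguised as {ext or 'no extension'!r}")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend(inspect_bytes(f"{name}:{member}", zf.read(member)))
        except zipfile.BadZipFile:
            findings.append(f"corrupt zip container {name!r}")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(inspect_bytes(part.get_filename(), part.get_payload(decode=True)))
    return findings


def build_sample():
    """Construct a sample message shaped like the lure (constructed data, not malware)."""
    fake_pe = PE_MAGIC + b"\x90" * 64  # constructed stub; only the header bytes matter here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Support_Password.exe", fake_pe)  # hypothetical name
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"        # placeholder recipient
    msg["Subject"] = "Facebook Support: your account has been blocked"
    msg.set_content("Please open the attached file to restore your account.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Support.zip")  # hypothetical name
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print("FLAG:", finding)
```

The check is deliberately independent of signatures: a months-old variant with a fresh icon or a new wrapper still shows up because the content test (MZ header, zip member extensions) does not change when the lure does. In a real gateway the same logic would run on every inbound message and quarantine rather than print.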

"We've seen two campaigns from Asprox in the last few days, the first was the DHL spam and now the Facebook spam, which indicates that they're constantly trying new ways to get users infected with the downloader trojan. This Facebook spam campaign has been observed throughout our global spamtraps, showing that it is indeed widespread," Anstis told Hot Hardware.

Since the trojan is a months-old variant -- and brazenly comes in as an attachment -- most good anti-malware spam blockers should detect it. Then again, spam bots are a percentage game -- it only takes a few successful infections for them to succeed, and we're talking Facebook users here. Just sayin'.